The document discusses various troubleshooting techniques for Docker including using tools like socat and curl to characterize networking and TLS issues, checking container processes and permissions, using volumes to store persistent data, and resolving issues with incorrect localhost references between containers. It also provides examples of troubleshooting issues with a Minecraft server, Ruby application, and Nginx proxy configuration.
18. Three Types
1. Host volume "I want my data to be here specifically"
2. Named Volume "I want to refer to my data later easily"
3. Anonymous Volume "I just want a volume"
Volumes
19. # Host Volume
$ docker run -v /opt/hostpath:/container/data …
# Named Volume
$ docker run -v important_stuff:/container/data …
# Anonymous Volume
$ docker run -v /container/data …
Volume Types
21. $ docker diff old
…
C /opt/minecraft
A /opt/minecraft/server.properties
A /opt/minecraft/world
A /opt/minecraft/world/region
A /opt/minecraft/world/region/r.0.0.mca
…
Put data in a volume
22. $ docker volume create minecraft
$ docker create --name new \
    -p 25565:25565 \
    -v minecraft:/opt/minecraft \
    mc:1.11.2
$ docker cp old:/opt/minecraft minecraft
$ docker cp minecraft new:/opt/
$ docker start new
Put data in a volume
28. Useful for local development
This development environment needs a test database.
By default, it creates an sqlite3 file called test.db
This can be initialized with the 'init.sql' file in the project
Host Volumes
29. $ sqlite3 -bail test.db < init.sql
Error: near line 1: attempt to write a readonly database
Jane's Ruby App
31. Permission and ownership issues are dealt with in the
same way with and without Docker.
The numeric uid is what matters.
Permissions and Ownership
32. $ sqlite3 -bail test.db < init.sql
Error: near line 1: attempt to write a readonly database
$ ls -lin
…
6721104 -rw-r--r-- 1 1000 1000 163 Apr 18 2017 init.sql
6721145 -rw-r--r-- 1 0 0 0 Apr 18 2017 test.db
Jane's Ruby App
33. Characterization and Hypothesis
● Files created by the container are owned by uid 0
● The image's default user is uid 0
● test.db file permissions are 0644
● sqlite3 is running as uid 1000 (jane)
Hypothesis: this is a normal permissions/ownership
issue.
Permissions and Ownership
34. Characterization and Hypothesis
Do these:
● chown 1000 test.db
● run container as uid 1000
Avoid these:
● chmod 777
● sudo sqlite3
Permissions and Ownership
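The characterization above can be replayed mechanically. This added example (not from the original slides) applies the owner/group/other write check to the slide's `ls -lin` listing for a given numeric uid and gid; it ignores supplementary groups and ACLs.

```sh
#!/bin/sh
# Added example (not from the slides): replay the owner/group/other write
# check on `ls -lin` output for a given numeric uid and gid.
# Supplementary groups, ACLs and directory permissions are not modelled.

# The listing from the slide, embedded so the example runs offline.
sample_listing() {
cat <<'EOF'
6721104 -rw-r--r-- 1 1000 1000 163 Apr 18 2017 init.sql
6721145 -rw-r--r-- 1 0 0 0 Apr 18 2017 test.db
EOF
}

# check_write UID GID: reads `ls -lin` lines on stdin, prints "name: verdict".
check_write() {
    uid=$1; gid=$2
    while read -r _inode mode _links owner group _size _mon _day _year name; do
        case $mode in [-d]?????????*) ;; *) continue ;; esac  # skip non-entries
        if [ "$uid" -eq 0 ]; then
            verdict="writable (uid 0 bypasses mode bits)"
        elif [ "$uid" -eq "$owner" ]; then
            case $mode in ??w*) verdict="writable (owner)" ;;
                          *)    verdict="read-only (owner lacks w)" ;; esac
        elif [ "$gid" -eq "$group" ]; then
            case $mode in ?????w*) verdict="writable (group)" ;;
                          *)       verdict="read-only (group lacks w)" ;; esac
        else
            case $mode in ????????w*) verdict="writable (other)" ;;
                          *)          verdict="read-only (other lacks w)" ;; esac
        fi
        printf '%s: %s\n' "$name" "$verdict"
    done
}

# jane (uid 1000) on the host, then the image's default user (uid 0).
sample_listing | check_write 1000 1000
sample_listing | check_write 0 0
```

Each fix on the slide changes one input: `chown 1000 test.db` changes the owner column, and running the container with `docker run --user 1000` changes the uid that creates the file.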
35. Examples of containerized processes writing files
● database files
● pid files
● bytecode caching
● in-app file uploads
● plugin/theme installation
● log files
Permissions and Ownership
36. Docker for Mac
Docker for Mac shares files from the macOS host to the HyperKit VM.
This file sharing mechanism ensures that files written by
containers always match your macOS user ID.
Host Volumes
48. 502 Characterization and Hypothesis
● curl localhost:8000 does not work from nginx container
(connection refused)
● curl localhost:8000 works from the app container
● curl 172.18.0.5:8000 works from the nginx container
● curl 172.18.0.5:8000 works from the app container
Networking
50. 502 Characterization and Hypothesis
Hypothesis: nginx using the 'localhost' upstream is incorrect
Test: update the nginx config file with the container ip.
Networking
55. Network Service Discovery
How will nginx discover the IP going forward?
Docker runs a resolver at 127.0.0.11.
It resolves container IPs by their --name or --net-alias
Networking
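Inside the nginx container, `localhost` is the nginx container itself, which is why the upstream connection was refused. This added example (not part of the original slides) flags loopback upstreams in an nginx config and rewrites them to a container name that Docker's resolver can answer; the config is constructed and the container name `app` is an assumption.

```sh
#!/bin/sh
# Added example (not from the slides): find nginx upstreams that point at
# loopback and rewrite them to a container name resolved by 127.0.0.11.

LOOPBACK='localhost|127\.[0-9.]+|\[::1\]'

# Constructed config showing both directive forms; port 8000 is from the slides.
sample_conf() {
cat <<'EOF'
upstream backend {
    server 127.0.0.1:8000;
}
server {
    listen 80;
    server_name localhost;
    location / {
        proxy_pass http://localhost:8000;
    }
}
EOF
}

# Print "LINE:text" for each proxy_pass / upstream server aimed at loopback.
# `server_name localhost;` and `server {` are deliberately not matched.
find_loopback_upstreams() {
    grep -nE "^[[:space:]]*(proxy_pass|server)[[:space:]]+(https?://)?($LOOPBACK)([:/;]|\$)"
}

# use_container_name NAME: replace the loopback host in those directives.
# NAME is the target's --name or --net-alias (hypothetical: "app").
use_container_name() {
    sed -E "/^[[:space:]]*(proxy_pass|server)[[:space:]]/ s#(https?://)?($LOOPBACK)([:/;])#\\1$1\\3#"
}

sample_conf | find_loopback_upstreams     # lines 2 and 8 are flagged
sample_conf | use_container_name app      # corrected config on stdout
```

Name resolution through 127.0.0.11 applies to containers attached to the same user-defined network, so nginx and the app container must share one.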
65. Installed New Certs
● Chrome no longer complains about the self-signed
certificate
● docker run and docker service still work as they did
before
TLS
68. TLS issue reported after cert install
● TLS error when using compose
● Same endpoint works in browser
● Same endpoint works with `docker` CLI
Hypothesis: compose has different TLS client
expectations from this TLS endpoint
TLS
69. TLS issues don't need to be scary
Cheat sheet (check the following):
● Subject/Alt name match
● Full Chain of Trust
● Chain Root is trusted
TLS
70. TLS issues don't need to be scary
Cheat sheet (check the following):
● Subject/Alt name match: correct
● Full Chain of Trust
● Chain Root is trusted
TLS
73. TLS issues don't need to be scary
Cheat sheet (check the following):
● Subject/Alt name match: correct
● Full Chain of Trust: missing root
● Chain Root is trusted
TLS
77. TLS issues don't need to be scary
Cheat sheet (check the following):
● Subject/Alt name match: correct
● Full Chain of Trust: correct
● Chain Root is trusted
TLS
78. TLS issues don't need to be scary
Cheat sheet (check the following):
● Subject/Alt name match: correct
● Full Chain of Trust: correct
● Chain Root is trusted: correct
TLS
79. $ source env.sh
$ docker-compose up -d
…
Creating network "acme_default" with the default driver
Creating acme_tomcat_1
Creating acme_apache_1
docker-compose working
80. TLS issue when using compose
● TLS works when using compose
● Same endpoint works in browser
● Same endpoint works with `docker` CLI
Python TLS client wants the certificate authority it trusts
to be a root certificate.
TLS
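The three cheat-sheet checks, and the closing observation that the trusted CA needs to be a root, can be reproduced with the openssl CLI. This is an added example, not from the original slides; the chain, the host name `demo.example.test` and the file names are constructed.

```sh
#!/bin/sh
# Added example (not from the slides): the three cheat-sheet checks with the
# openssl CLI, run against a constructed root -> intermediate -> leaf chain.
# All names (demo.example.test, "Demo Root", file names) are made up.

# issue NAME CN EXTLINE [ISSUER]: create NAME.key and NAME.pem. Self-signs
# when ISSUER is omitted, otherwise signs with ISSUER.key / ISSUER.pem.
issue() {
    printf '%s\n' "$3" > "$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$1.csr" -days 2 -extfile "$1.ext" -out "$1.pem" \
            -CA "$4.pem" -CAkey "$4.key" -CAcreateserial 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -days 2 -extfile "$1.ext" -out "$1.pem" \
            -signkey "$1.key" 2>/dev/null
    fi
}

make_demo_chain() {   # writes root.pem, int.pem and leaf.pem into directory $1
    ( cd "$1" &&
      issue root "Demo Root"         "basicConstraints=critical,CA:TRUE" &&
      issue int  "Demo Intermediate" "basicConstraints=critical,CA:TRUE" root &&
      issue leaf demo.example.test   "subjectAltName=DNS:demo.example.test" int )
}

# 1. Subject/Alt name match: name_matches CERT HOSTNAME
name_matches() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

# 2. Full chain of trust, 3. chain root is trusted:
# chain_ok TRUSTED_CA_FILE LEAF [INTERMEDIATES_FILE]  (no -partial_chain)
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK$'
    else
        openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
    fi
}

# A root is self-issued: its subject equals its issuer. An intermediate is not.
is_root() {
    [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" = \
      "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" ]
}
```

After `make_demo_chain "$(mktemp -d)"`, `chain_ok int.pem leaf.pem` fails while `chain_ok root.pem leaf.pem int.pem` succeeds, which is the "missing root" state from the cheat sheet: trusting only the intermediate does not give a default OpenSSL verifier a complete chain.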
83. Amber keeps up pace by being proactive
She has several general troubleshooting tactics that help characterize issues
Works at a big company
Has been a sysadmin, developer, network admin
Currently technical lead on the devops team
Amber
84. Tools - command line utilities
● socat - bidirectional communication over TCP, UDP,
stdio, pipes, Unix domain sockets, etc.
● curl - make web requests
● jq - parse, filter, create JSON text
● regular network tools - iptables, ipvsadm, route, ip,
arp, tcpdump, ifconfig
● nsenter - enter a namespace
Amber's Toolbox
90. Techniques
Host A container networking is working
Host B container networking is not
They are seemingly identical
How to identify the differences?
graphical diff!
Amber's Toolbox
93. Techniques - How to Ask a Question
Amber's Toolbox
<statement of observation>
|---------------------------|
| demonstration of relevant observations
|---------------------------|
<question>
94. Techniques - How to Ask a Question
Amber's Toolbox
<statement of observation>
|---------------------------|
| demonstration of relevant observations
|---------------------------|
<question>
Characterization
Hypothesis
95. Techniques - How to Ask a Question
Amber's Toolbox
I'm getting a 502 error when I hit the staging acmecorp endpoint
$ curl -vkL https://staging.internal.acmecorp.com/_ping/
…
Is there a deploy happening now?
96. Becoming a Troubleshooting Pro
● Docker Forums
https://forums.docker.com/
● Docker Community Slack
https://dockr.ly/community
What you can do
97. THANK YOU
Be a troubleshooting pro!
@docker #dockercon
Jeff Anderson @programm3rq